Scammer used fake court order to take over dark web drug market directory
A fraudster used a bogus court order to convince a domain registrar to transfer ownership of a domain that lists dark web drug markets, then used it to direct visitors to their own copies of the markets, designed to steal people’s bitcoin.
Hackers often create sites that look like dark web markets, but the use of a bogus court ruling is unusual. It has some similarity to how crooks use fake trademark claims to convince Instagram to transfer ownership of valuable usernames.
“I had 2FA and PGP enabled for this account. I’m not a security jerk,” Dark Fail, the pseudonymous administrator of the hijacked dark.fail site, told Motherboard after regaining control of the domain last week. Those protections guard the registrar account, not the domain itself: because the transfer was authorized by the registrar on the strength of the forged order, they were never put to the test.
Dark.fail is a site that aims to provide trusted links to dark web markets.
“This resource is intended for researchers only. I do not guarantee any sites,” reads a notice on the Tor hidden service version of the site.
After the domain hijacking, the attacker replaced every link with a phishing site, according to a post on dark.fail published after Dark Fail regained control of the domain.
“Each site looked real but instead shared all user activity with the attacker, including passwords and messages. The cryptocurrency addresses displayed on these sites were rewritten to addresses controlled by the phisher, intercepting many people’s money,” the post read.
Dark.fail was registered with the privacy-focused domain registrar Njalla, which in turn uses the registrar Tucows for .fail domains, according to a tweet from Njalla and Peter Sunde Kolmisoppi, co-founder of The Pirate Bay.
Sunde added that Tucows received a court order on April 28 listing the domain names that a German court allegedly wanted handed over.
“The PDF looks like a real court order, I’ve seen a lot of them,” Sunde wrote. “But this one is wrong.” The forger had reused language from a real court order but in a different context, he added. He wrote that the forged document also included a gag order, meaning that neither Njalla nor Hover, another affected registrar, was notified of the transfer.
Sunde told Motherboard in an online chat that Tucows shared a copy of the bogus order with him.
“We have looked at it in detail and are quite certain that it is possible to narrow down the suspects a bit with access to more evidence,” Sunde added. He told Motherboard that he had agreed not to share a copy of the bogus order itself, as it was evidence in a possible criminal investigation.
In another tweet, Sunde said the dark.fail domain was transferred to the registrar Namecheap, which, according to him, did not suspend the domain despite its use in an active phishing campaign because it believed the court order was legitimate. A few days later, Njalla was able to recover the dark.fail domain.
Namecheap said in a statement that “Namecheap responsibly and thoroughly investigates all reported allegations of abuse. We are also proactive in identifying individual abuse and large-scale abuse patterns, and we work with federal agencies to collectively address new forms of abuse. We are in regular contact with law enforcement and voluntarily provide analysis of what we see, how we try to tackle abuse and how we can best work together to find ways to stop any fraud discovered.”
The statement also disputed the claim that Namecheap had believed the bogus court order was legitimate. “In this case, we received no actionable evidence of phishing or abuse from Tucows or Njalla (a Tucows reseller) and immediately initiated an internal investigation upon receipt of a transfer dispute request. For clarity, Namecheap never stated that the court order was legitimate, nor have we received a copy of a court order from Tucows or Njalla. After investigating the case, and without knowing what led Tucows to initially authorize the transfer of the domains to Namecheap, we quickly determined that a court order provided to us by the new owner was a forged document. We then began the process of transferring the domains to Tucows. Namecheap suspended the domains for phishing prior to their transfer to Tucows, along with two other related domains that we identified were used in this incident of abuse,” the statement added.
“Our findings show that Tucows was the victim of a complex phishing scheme presented under the guise of a secret court order. It was hyper-targeted phishing designed with the direct intention of hijacking specific domains,” Madeleine Stoesser, public relations and corporate communications manager at Tucows, said in a statement. “We immediately took steps to successfully recover the domains and implemented new processes to mitigate future issues. As the world’s second-largest domain name registrar by volume, Tucows is committed to maintaining the privacy and security of domains and our customers.”
In 2016, the Justice Department announced charges against a man for running dark web phishing sites. He was sentenced to just over a year in prison.
“Once someone controls your domain, you’re toast,” Dark Fail told Motherboard.
Update: This piece has been updated to include statements from Tucows and Namecheap.